The invention relates to a method and transaction interface for secure exchange between distinguishable networks, especially between an external network and an internal network, such as the Internet and a company-owned intranet.
Such methods and devices for secure exchange between networks with mostly different security standards belong to the prior art.
Thus isolation of an internal data network from the external network by a secure interface belongs to the prior art. In the best case, such a secure interface comprises an external server and an internal server, which are in data communication with one another via a firewall. Any customer requests received by the external server are processed in the external server and, after various security checks, are delivered via the firewall to the internal server, which ultimately accesses the data filed within the internal network to be protected.
The firewall disposed between the internal server and external server is supposed to prevent external sources from effecting transactions or changes, especially of improper nature, to the protected database of the internal network.
The actual effect of the firewall is to ensure that external customers lacking appropriate authorization cannot enter into data communication with the internal network and that, if data communication exists, impermissible data such as virus programs cannot be introduced through the firewall into the internal network. Consequently, desired customer service inquiries that are inherently permissible and necessitate internal data transactions are also blocked, for example, for lack of authorization.
A standard solution for this problem comprises opening an additional special customer gateway, which permits appropriate access. This in turn has the disadvantage that attacks on the internal database are now possible via this gateway, even though it is particularly secure.
Another solution leaves all customer questions of any type to the external server, and thus avoids any undesired risky direct data links to external sources. A disadvantage of this solution, however, is that any confidential customer data are temporarily stored on an unprotected external server. For this reason the data are frequently matched by reflection. Because of the resulting greater data volume, this is achieved at the cost of increased processor power, or poorer time response. Moreover, real-time access to the protected database of the internal network is hardly possible in this solution.
A solution to this problem is known from International Application WO 97/19611, in the form of a “security gateway interface” (SGI), which attempts to solve the described problem by providing that, in response to a customer request, authentication of the customer takes place first and, if the customer has the appropriate authorization, the external server then generates its own permissible inquiry on the basis of the customer inquiry. Hereby the data sent by the customer are truly decoupled from the data ultimately intended for further processing. The request generated by the external server is ultimately forwarded via the firewall to an internal server while further security routines are running and finally processed in the internal network, and a response to the user is sent via the external server. Therewith this system ensures complete decoupling of internal and external networks. Nevertheless, the problem remains unsolved that confidential user data still remain on the external server, largely unprotected against access by external sources. If an improper access to the external unprotected server is subsequently successful, some impermissible inquiries can be generated here by sufficiently skilled manipulation. This is possible in particular because authentication of the user inquiry necessarily takes place on the external server and thus in the largely nonsecure area of the system.